March 14, 2005

Protecting the Internet - Certified Attachments and Reverse Firewalls?

In many respects the internet is going to hell in a hand basket.

Spam, phishing, DNS poisoning, DDoS attacks, viruses, worms, and the like make the net a sick place.  It is bad enough that bad folks are doing this.  But it is worse that just about every user computer on the net offers a nice fertile place for such ill behavior to be secretly planted and operated as a zombie under the control of a distant and unknown zombie farmer.

Most people still think that the main risk of being on the net is the risk that one's own machine might be damaged by things lurking out there on the net.

Some of us are coming to the converse point of view - that the net is being endangered by the masses of ill-protected machines operated by users.

For decades upon decades Ma Bell (AT&T) insisted that the telephone network be protected against the dangers of non-Bell phones and other equipment.  This reached the height of absurdity with the Hush-A-Phone case, when AT&T claimed that an innocent plastic cup could deafen operators, shock linemen off of poles, and otherwise wreak havoc.

Yet Ma Bell had a point - the telephone network could be damaged if I were to plug my Tesla-Coil Phone or my Arc-Welder Phone into the little phone jack on my wall.  There clearly are some limits.

And those limits were found - today in the US, and I imagine in most other countries, telephones must pass muster and obtain a certification before they may be legally plugged into the telephone network.

Is it unreasonable to conceive of a day, perhaps a day not all that far distant, when only certified equipment can be legally plugged into the internet?

When this thought first went through my head I said, nah, no way.  I was thinking "a requirement to certify personal computers is a death knell for the kind of innovation we have had inside PCs."  But then I looked at my own setups and considered how most people connect to the net: via intermediary boxes.  It occurred to me that what would have to be certified are those intermediary boxes, not the user PCs or the software they run.

At home I have a nice little router attached, in turn, to my nice little DSL box.  These sit between me (the user) and the network.  They are in a position not unlike that of the old ISDN NT-1 protection device.  At the office I have a not-so-little router that sits between the internet at large and my office networks.

The burden of certification would fall on exactly those companies best prepared to deal with the issue - companies like Cisco (Linksys) or Netgear - who build attachment devices.  These devices are not open to general programming and have a well defined, and relatively fixed, function.

In order to obtain a certificate these devices would have to demonstrate that they offer robust protection to the network from adverse behavior on the customer side of the internet/customer-premise demarcation.  In other words, part of the certificate would require that the device operate as a reverse firewall.

That's easier to write than to do.  When viewed through a peephole in which packets are observed one at a time or with only limited context, it is difficult to recognize and block behavior that constitutes a danger to the internet.  (In fact the whole idea of what kinds of actions are dangerous is still somewhat obscure and few objective principles have been enunciated - and I once more refer to my First Law of the Internet as an attempt to propose one such principle.)

Despite the difficulty of finding a fully satisfying general definition, there are certainly several specific things that could be required for a certificate.  For example, the following restrictions on outbound packets could be implemented without too much effort and would not significantly impair anyone's ability to use the internet or to create new, innovative uses.

  • Block the outflow of packets bearing false source addresses (i.e. source addresses outside the address block assigned to the customer).
  • Block TCP flag combinations that never occur in legitimate traffic (e.g. SYN+FIN or FIN+RST).
  • Require TCP packets to be related to established connections.
  • Block IP fragments and excessive ICMP activity.

I'm sure that this list could be easily extended without getting into contentious issues such as how a user might offer a network service rather than simply being a consumer of such services.
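To make the four rules concrete, here is a toy egress filter that applies them to outbound IPv4 packets.  This is an added example written for this page, not code from the original post or from any router vendor; the customer prefix 192.0.2.0/24, the documentation addresses used for the sample packets, and the budget of ten ICMP packets per second are all assumptions.  The sample packets are constructed inline so the whole thing runs offline.

```python
"""Toy reverse firewall: the four egress rules applied to raw IPv4 packets.

Assumptions (not from the original post): the customer is assigned
192.0.2.0/24, and an outbound ICMP budget of 10 packets per second.
"""
import ipaddress
import struct
from collections import deque

ICMP, TCP = 1, 6
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class ReverseFirewall:
    """Sees only the customer -> internet direction, like the box on the demarc."""

    def __init__(self, customer_prefix, icmp_per_sec=10):
        self.prefix = ipaddress.ip_network(customer_prefix)
        self.icmp_per_sec = icmp_per_sec
        self.icmp_times = deque()          # timestamps of recent outbound ICMP
        self.conns = set()                 # 4-tuples for which we saw an outbound SYN

    def decide(self, pkt, now):
        """Return ("ACCEPT"|"DROP", reason) for one outbound packet at time `now`."""
        if len(pkt) < 20:
            return "DROP", "runt packet"
        vihl, _tos, _tlen, _id, frag, _ttl, proto, _csum, src, dst = \
            struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        if vihl >> 4 != 4:
            return "DROP", "not IPv4"
        ihl = (vihl & 0x0F) * 4
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

        # Rule 1: no source-address spoofing from the customer side.
        if src_ip not in self.prefix:
            return "DROP", "spoofed source %s" % src_ip
        # Rule 4a: no IP fragments (MF flag set or non-zero fragment offset).
        if frag & 0x2000 or frag & 0x1FFF:
            return "DROP", "IP fragment"
        # Rule 4b: cap outbound ICMP with a one-second sliding window.
        if proto == ICMP:
            while self.icmp_times and now - self.icmp_times[0] >= 1.0:
                self.icmp_times.popleft()
            if len(self.icmp_times) >= self.icmp_per_sec:
                return "DROP", "ICMP rate exceeded"
            self.icmp_times.append(now)
            return "ACCEPT", "icmp within budget"
        if proto == TCP:
            if len(pkt) < ihl + 20:
                return "DROP", "truncated TCP header"
            sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
            flags = off_flags & 0x3F       # URG ACK PSH RST SYN FIN
            # Rule 2: flag combinations that never occur in legitimate traffic.
            if flags & SYN and flags & FIN:
                return "DROP", "SYN+FIN"
            if flags & FIN and flags & RST:
                return "DROP", "FIN+RST"
            if flags == 0:
                return "DROP", "null flags"
            # Rule 3: every segment must belong to a connection this box saw opened.
            key = (src_ip, sport, dst_ip, dport)
            if flags & SYN and not flags & ACK:
                self.conns.add(key)        # customer opening a new outbound connection
                return "ACCEPT", "new connection"
            if key not in self.conns:      # includes SYN+ACK, i.e. answering an inbound SYN
                return "DROP", "TCP segment with no known connection"
            if flags & (FIN | RST):
                self.conns.discard(key)
            return "ACCEPT", "established"
        return "ACCEPT", "protocol %d not filtered" % proto


def ipv4(src, dst, proto, payload=b"", frag=0):
    """Build a minimal IPv4 packet (checksum left zero; constructed test input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def tcp(sport, dport, flags):
    """Build a 20-byte TCP header with the given flags (constructed test input)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def demo():
    """Run constructed sample traffic through the filter; returns verdicts by name."""
    fw = ReverseFirewall("192.0.2.0/24")
    t = 1000.0
    cases = [
        ("spoofed",    ipv4("203.0.113.9", "198.51.100.1", TCP, tcp(40000, 80, SYN))),
        ("syn",        ipv4("192.0.2.10", "198.51.100.1", TCP, tcp(40000, 80, SYN))),
        ("ack",        ipv4("192.0.2.10", "198.51.100.1", TCP, tcp(40000, 80, ACK))),
        ("orphan ack", ipv4("192.0.2.10", "198.51.100.1", TCP, tcp(40001, 80, ACK))),
        ("syn+fin",    ipv4("192.0.2.10", "198.51.100.1", TCP, tcp(40002, 80, SYN | FIN))),
        ("fragment",   ipv4("192.0.2.10", "198.51.100.1", TCP, tcp(40000, 80, ACK), frag=0x2000)),
    ]
    results = {name: fw.decide(pkt, t)[0] for name, pkt in cases}
    # Eleven echo requests inside one second: the eleventh exceeds the budget of ten.
    ping = ipv4("192.0.2.10", "198.51.100.1", ICMP, b"\x08\x00\x00\x00\x00\x00\x00\x00")
    burst = [fw.decide(ping, t + i * 0.01)[0] for i in range(11)]
    results["icmp accepted"] = burst.count("ACCEPT")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-14s %s" % (name, verdict))
```

Note that rule 3 as written here is exactly the "consumer only" stance: an outbound SYN+ACK, which is the customer answering an inbound SYN, has no entry in the connection table and is dropped.  A certified box that lets a customer run a server would have to track inbound SYNs as well, which is the contentious part deliberately left out above.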

Bad people will ignore the requirement.  But if good folks, the kind of people who make up the vast majority of machine owners, did use a certified attachment device, then today's big zombie farms would lose much of their ability to do bad things.

There are certain other potential benefits.  For example a certified box on the customer demarcation is a nice place to do remote loop backs so that ISPs could more quickly diagnose and resolve service issues.

Of course this is yet another layer of regulation.  And it's imperfect and incomplete - it's not a panacea.  But I am not convinced that it is an idea that should be discarded without serious contemplation of the costs (long and short term) and the benefits.

Posted by karl at March 14, 2005 12:37 AM